How to create an SHA-512 hashed password for shadow?

Question

The previous SF questions I've seen have lead to answers that produce MD5 hashed password.

Does anyone have a suggestion on to produce an SHA-512 hashed password? I'd prefer a one liner instead of a script but, if a script is the only solution, that's fine as well.

Update

Replacing previous py2 versions with this one:

python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"

Answer 1

Edit: Please note this answer is 10+ years old.

Here's a one liner:

python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'

Python 3.3+ includes mksalt in crypt, which makes it much easier (and more secure) to use:

python3 -c 'import crypt; print(crypt.crypt("test", crypt.mksalt(crypt.METHOD_SHA512)))'

If you don't provide an argument to crypt.mksalt (it could accept crypt.METHOD_CRYPT, ...MD5, SHA256, and SHA512), it will use the strongest available.

The ID of the hash (number after the first $) is related to the method used:

• 1 -> MD5
• 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
• 5 -> SHA-256 (since glibc 2.7)
• 6 -> SHA-512 (since glibc 2.7)

I'd recommend you look up what salts are and such and as per smallclamgers comment the difference between encryption and hashing.

Update 1: The string produced is suitable for shadow and kickstart scripts.
Update 2: Warning. If you are using a Mac, see the comment about using this in python on a mac where it doesn't seem to work as expected.

On macOS you should not use the versions above, because Python uses the system's version of crypt() which does not behave the same and uses insecure DES encryption. You can use this platform independent one liner (requires passlib – install with pip3 install passlib):

python3 -c 'import passlib.hash; print(passlib.hash.sha512_crypt.hash("test"))'

Answer 2

On Debian you can use mkpasswd to create passwords with different hashing algorithms suitable for /etc/shadow. It is included in the package whois (according to apt-file)

mkpasswd -m sha-512
mkpasswd -m md5

to get a list of available hashing algoritms type:

mkpasswd -m help 

HTH

Answer 3

Best Answer: grub-crypt

Usage: grub-crypt [OPTION]...
Encrypt a password.

-h, --helpPrint this message and exit
-v, --version           Print the version information and exit
--md5                   Use MD5 to encrypt the password
--sha-256               Use SHA-256 to encrypt the password
**--sha-512             Use SHA-512 to encrypt the password (default)**

Answer 4

Here's a short C code to generate the SHA-512 password on various Unix type OSes.

File: passwd-sha512.c

#define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  if ( argc < 3 || (int) strlen(argv[2]) > 16 ) {
    printf("usage: %s password salt\n", argv[0]);
    printf("--salt must not larger than 16 characters\n");
    return;
  }

  char salt[21];
  sprintf(salt, "$6$%s$", argv[2]);

  printf("%s\n", crypt((char*) argv[1], (char*) salt));
  return;
}

to compile:

/usr/bin/gcc -lcrypt -o passwd-sha512 passwd-sha512.c

usage:

passwd-sha512 <password> <salt (16 chars max)>

Answer 5

Surprising that no answer suggests the simple openssl passwd command with the -6 option. Maybe it wasn't available yet in 2011?

If you don't care providing the password on the command-line (risking it staying in the command history), then you can do:

openssl passwd -6 YourPassword

It will generate the salt, and output a line like this:

$6$/57kpVAA/kuPUtzV$Ugxo0RTL2uXCvU7WH43c1qn0quMy2ve.qiBYJPG75tFgTN8gI5Jp/FYPXFOzIsASqVTqM42kjN2805VYLHKzm1

With the stdin option, it can also read the password from STDIN (or a file), so you don't leave it behind in the history:

openssl passwd -6 -stdin

Answer 6

Perl one-liner solution to generate SHA-512 hashed password:

perl -le 'print crypt "desiredPassword", "\$6\$customSalt\$"'

Worked on RHEL 6

Answer 7

Why not perform the following check and modification to Centos/RHEL machines to ensure that all password hashing for /etc/shadow is done with sha512. Then you can just set your passworkd normally with the passwd command

#Set stronger password hasing
/usr/sbin/authconfig --test | grep sha512 > /dev/null
if [ $? -ne 0 ]; then
echo "Configuring sha512 password hashing"
sudo /usr/sbin/authconfig --enableshadow --passalgo=sha512 --updateall
fi

Answer 8

Here is a one-liner that uses shell commands to create a SHA-512 hashed password with a random salt:

[root@host] mkpasswd -m sha-512 MyPAsSwOrD $(openssl rand -base64 16 | tr -d '+=' | head -c 16)

Notes

1. You may need to install the "whois" package (Debian, SuSE, etc.), which provides "mkpasswd".
2. See crypt(3) for details on the format of lines in "/etc/shadow".

Answer 9

Read the comment below to learn about security implications of this answer

For those of the Ruby mindset here is a one-liner:

'password'.crypt('$6$' + rand(36 ** 8).to_s(36))

Answer 10

This script worked for me on Ubuntu 12.04 LTS: https://gist.github.com/JensRantil/ac691a4854a4f6cb4bd9

#!/bin/bash
read -p "Enter username: " username
read -s -p "Enter password: " mypassword
echo
echo -n $username:$mypassword | chpasswd -S -c SHA512

It has the following features which some of the other alternatives lack:

• It generates its salt securely. Nobody should rely on doing this manually. Ever.
• it doesn't store anything in shell history.
• for clarity, it prints which user's password it generated which can be nice when generating many users' passwords.

Answer 11

After the Customer changes the password, you can copy the encrypted password from /etc/shadow to the kickstart file. How to do it:

export CRYPTED_PASSWORD=$(grep root /etc/shadow | cut –d ”:” –f 2)
echo "s;rootpw -–iscrypted .*;rootpw –-iscrypted $CRYPTED_PASSWORD;" > sed_script
sed –i –f sed_script template.ks

Answer 12

HASH algos are for producing MESSAGE digests, they are never suitable for passwords, which should use some kind of HKDF ( http://tools.ietf.org/rfc/rfc5869.txt ) - see PBKDF2 or BCrypt

Answer 13

#!/usr/bin/env python

import getpass

from passlib.hash import sha512_crypt

if __name__ == "__main__":
    passwd = getpass.getpass('Password to hash: ')
    hash = sha512_crypt.encrypt(passwd)

    print hash

You can clone it from my github repo if you want: https://github.com/antoncohen/mksha

Answer 14

Its not a one liner, but it might help someone:

import crypt, getpass, pwd, string, sys, random
randomsalt = ""
password = getpass.getpass()
choices = string.ascii_uppercase + string.digits + string.ascii_lowercase
for _ in range(0,8):
    randomsalt += random.choice(choices)
print crypt.crypt(password, '$6$%s$' % randomsalt)

Answer 15

$ htpasswd -c /tmp/my_hash user1
New password: 
Re-type new password: 
Adding password for user user1
$ cat /tmp/my_hash
user1:$apr1$oj1ypcQz$4.6lFVtKz2nr8acsQ8hD30

Obviously, you just grab the 2nd field, and can delete the file once you're added it to shadow or for use with sudo (still most likely shadow).

Answer 16

Take a look at the man page for crypt (3) and I think that you will find that the crypt tool has been updated to use glibc and sha256 ($5) and sha512 ($6) , multiple rounds, much larger salt, and so on.

Clearly SHA512 is relevant to how /etc/shadow works.

That said, this web page was very helpful - in particular the MKPASSWD , as this solved MY problem.

Given a potentially "lost" password, I can use MKPASSWD and the salt, to generate the SHA512 hash, and confirm/deny a list of candidate passwords.

I would use John the ripper - but at least on my hardware (Raspberry Pi) and my budget (nothing) - John can't do it (it does not seem to support the advanced crypt/glibc stuff in the raspbian free version.

Mind you, since I have enough permission to read/write /etc/shadow, I COULD just overwrite the hash, and get on with life... this is an academic exercise.

---

NOTES Glibc notes The glibc2 version of this function supports additional encryp‐ tion algorithms.

   If salt is a  character  string  starting  with  the  characters
   "$id$" followed by a string terminated by "$":

          $id$salt$encrypted

   then instead of using the DES machine, id identifies the encryp‐
   tion method used and this then determines how the  rest  of  the
   password  string is interpreted.  The following values of id are
   supported:

          ID  | Method
          ─────────────────────────────────────────────────────────
          1   | MD5
          2a  | Blowfish (not in mainline glibc; added in some
              | Linux distributions)
          5   | SHA-256 (since glibc 2.7)
          6   | SHA-512 (since glibc 2.7)

   So  $5$salt$encrypted  is  an  SHA-256  encoded   password   and
   $6$salt$encrypted is an SHA-512 encoded one.

Answer 17

If you need an alternative to one-liners written in perl/python, mkpasswd is a good match. While it is included in the Debian whois package, it is missing on CentOS/RHEL systems. I've modified the Debian version of mkpasswd and included a stronger salt generation mechanism based on OpenSSL. The resulting binary fully preserves all Debian's version command line parameters. The code is avaiable on github and should compile on any Linux flavor: mkpasswd

Answer 18

I'm not sure how SHA-512 is related to /etc/shadow. These passwords are crypted.

But if you want a password hashed with SHA-512 you can do this by echo -n the_password | sha512sum. You can't use the output for /etc/shadow.